GENERAL CONTROLS OVER THE ELECTRONIC DOCUMENT ACCESS SYSTEM

Report No. D-2001-029                                        December 27, 2000

Office of the Inspector General
Department of Defense

Additional Information and Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD, Home Page at www.dodig.osd.mil or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits

To suggest ideas for or to request audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    OAIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General, Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

ASD(C3I)   Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
DEBX       Defense Electronic Business Exchange
DECC       Defense Enterprise Computer Center
DFAS       Defense Finance and Accounting Service
DISA       Defense Information Systems Agency
DITSCAP    DoD Information Technology Security Certification and Accreditation Process
EDA        Electronic Document Access
JECPO      Joint Electronic Commerce Program Office
MOCAS      Mechanization of Contract Administration Services
MOU        Memorandum of Understanding
NIPRNET    Non-secure Internet Protocol Routing Network

Office of the Inspector General, DoD
Report No. D-2001-029 (Project No. D2000FG-0057)             December 27, 2000

General Controls Over the Electronic Document Access System

Executive Summary

Introduction. The Joint Electronic Commerce Program Office (JECPO) initiated the Electronic Document Access (EDA) system as part of the DoD Paper-Free Contracting Initiative. EDA contributes to the initiative by digitizing paper documents and offering web-based read-only access to official contracting, finance, and accounting documents. Personnel at the Defense Finance and Accounting Service (DFAS) Columbus rely on the EDA system to make more than 82,000 contract payments each month. The Director, DFAS Columbus, requested that we review the EDA system to determine whether sufficient safeguards are in place to ensure the security of electronically transmitted contractual data.

Objectives. The audit objective was to determine whether the security of the EDA system was adequate. The audit included reviews of selected general controls, compliance with the Chief Financial Officers Act requirements, and the management control program as it related to the overall objective. The report discusses DFAS implementation of the EDA system as it applies to DFAS Columbus.

Results. The EDA system security controls were not sufficient and could not provide reasonable assurance that EDA data transmitted electronically and used by DFAS Columbus were secure. JECPO implementation of EDA and DFAS security for EDA needed improvement. Unless corrective actions are taken, EDA data could be altered or misused. See Appendix A for details on the management control program as it relates to controls over the EDA system.

Summary of Recommendations. We recommend that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) (ASD(C3I)) revise the Electronic Business/Electronic Commerce Strategic Plan to address security responsibilities and requirements. We recommend that the Director, JECPO, in coordination with DFAS and the Defense Information Systems Agency, develop the System Security Authorization Agreement to provide end-to-end security for EDA; incorporate all relevant elements as outlined in the DoD Information Technology Security Certification and Accreditation Process manual; develop and execute the EDA system test and evaluation to include all EDA users; and incorporate security requirements and review guides within the Memorandums of Understanding with EDA document providers and users. We recommend that the DFAS Chief Information Officer complete the security training curriculum for information security managers. We recommend that the Director, DFAS Columbus, require the information security manager to document and execute a plan to implement and enforce all applicable security policies and safeguards over the Columbus systems; develop access profiles for all personnel having access to EDA and DFAS Columbus systems; and assess and provide the resources and training the information security manager needs to perform information security functions.

Management Comments. ASD(C3I) concurred with revising the Electronic Business/Electronic Commerce Strategic Plan to address specific security responsibilities and requirements. JECPO concurred with developing the System Security Authorization Agreement for EDA in coordination with DFAS and DISA; developing and executing the EDA security test and evaluation; and incorporating security requirements within Memorandums of Understanding and review guidelines with EDA document providers. DFAS concurred with the need for security training for information security managers; that the information security manager document and execute a plan for implementing security policies and safeguards; that the information security manager attend training on information security topics; and that the Director, DFAS Columbus, redirect or request additional resources for the information security manager. DFAS nonconcurred with developing EDA access profiles for users, stating that EDA access is read only. DFAS also nonconcurred with the existence of a management control weakness regarding the alteration and accuracy of EDA documents and the need for signatures on contracting documents. See the Finding section of the report for details on the management comments and the Management Comments section for the complete text of management comments.

Audit Response. Comments from ASD(C3I) were responsive; however, they did not specify when a revision to the Electronic Business/Electronic Commerce Strategic Plan would be accomplished. We request that ASD(C3I) provide the date in comments on the final report. Comments from JECPO were responsive on incorporating security requirements and review guidelines within the Memorandums of Understanding. JECPO comments on the development of the System Security Authorization Agreement are responsive. However, the comments did not provide a date when the agreement may be finalized, so we request that JECPO provide a completion date for the finalized agreement. JECPO comments on the development and execution of the EDA system test and evaluation are responsive. However, the comments stated that an EDA system test and evaluation was completed in September 2000 and that final recommendations would be reviewed and appropriate corrective actions would be implemented. The comments did not specify when those corrective actions would occur. We request that JECPO identify when they will be implemented. Comments from DFAS regarding completion of a security training curriculum in accordance with the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) June 29, 1998, memorandum on Information Assurance training are responsive. Although DFAS nonconcurred regarding the need for access profiles, the decision to review each person’s system accesses meets the intent of the recommendation. DFAS also nonconcurred that a material management control weakness existed. We believe that the nature of the issues identified clearly warrants reporting a material weakness.

Table of Contents

Executive Summary

Introduction
    Background
    Objectives

Finding
    Implementation of Security Safeguards Within the Electronic Document Access System

Appendixes
    A. Audit Process
        Scope
        Methodology
        Management Control Program Review
    B. Prior Coverage
    C. Report Distribution

Management Comments
    Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
    Defense Information Systems Agency
    Defense Finance and Accounting Service

Background

During their audit of the FY 1999 Air Force financial statements, the Air Force Audit Agency requested more than 11,000 paper documents from DFAS Columbus to support sampled electronic transactions. Subsequent to the Air Force audit, the Director, DFAS Columbus, requested that we review the Electronic Document Access (EDA) system to determine whether sufficient safeguards are in place to ensure the security of electronically transmitted contractual data and reduce hard copy verification requirements.

Paper-Free Contracting Initiative. On May 21, 1997, the Under Secretary of Defense (Comptroller) directed the implementation of a paper-free contracting process and stated the need to simplify and modernize the acquisition process in contract writing, administration, finance, and auditing. However, the Under Secretary’s direction did not address security.

Joint Electronic Commerce Program Office. To support the Paper-Free Contracting Initiative, the Deputy Secretary of Defense, under Defense Reform Initiative Directive 43, “Defense-wide Electronic Commerce,” May 20, 1998, directed the establishment of the Joint Electronic Commerce Program Office (JECPO) as an entity under the policy direction of the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD(C3I)), to integrate electronic commerce in the full DoD business cycle. On November 24, 1998, JECPO was chartered to implement electronic commerce within DoD. However, the charter did not address electronic commerce security.

Electronic Document Access. JECPO initiated EDA as part of the DoD Paper-Free Contracting Initiative to reduce the amount of paper used and stored by DoD contracting personnel, to reduce the contract payment cycle time, and to facilitate the sharing of information among DoD personnel. EDA contributes to the initiative by digitizing paper documents and offering web-based read-only access to official contracts and modifications, vouchers, Government bills of lading, and accounting and finance documents.

EDA System Process. The following figure illustrates the EDA process and flow of data within EDA. [Figure: EDA process and data flow; not reproduced in this text.]

Documents are entered into the EDA system by DoD contracting organizations. Currently, nine contracting organizations (data originating sites) generate information for use in EDA. The contract documents are generated using the Standard Procurement System or legacy contract writing systems. For organizations using the Standard Procurement System, PostScript printing software sends the data directly through the Defense Electronic Business Exchange (DEBX), which converts it into portable document format, to the Defense Enterprise Computer Center (the computer center) at Ogden, Utah. For legacy systems, document files are sent to the Defense Automated Printing Service for conversion into portable document format. Once converted, all of the file indexes generated by the Defense Automated Printing Service are sent to the computer center at Ogden for storage and for queries from users. The computer center at Ogden maintains the file indexes for both the Standard Procurement System files and the Defense Automated Printing Service converted files. Every 2 hours, the computer center at Ogden transmits an updated index listing of the portable document format files to the computer center at Columbus, Ohio, for use by DFAS Columbus payment personnel.

EDA users include personnel from the data originating sites, such as procurement contracting officers and administrative contracting officers, DFAS payment personnel, and systems administrators. To access EDA, a DoD user’s network must have a connection through the Non-secure Internet Protocol Routing Network (NIPRNET), a DoD unclassified data communications network. Local terminal area security officers are the liaison between the users and the computer center at Ogden and are responsible for requesting logons for DFAS employees with approval from their supervisor. Computer center personnel at Ogden assign and maintain the logons in the EDA system. Once a logon is assigned, the user may query either the Ogden or the Columbus EDA servers for EDA documents. The queried EDA server then displays a portable document format image of the electronically generated document to the user.

Objectives

The audit objective was to determine whether the security of the Electronic Document Access system was adequate. The audit included reviews of selected general controls, compliance with the Chief Financial Officers Act requirements, and the management control program as it related to the overall objective. Refer to Appendix A for discussion of the management control program and Appendix B for prior coverage.

Implementation of Security Safeguards Within the Electronic Document Access System

Security controls over the EDA system were not sufficient to provide users with reasonable assurance that data transmitted electronically and used by DFAS Columbus were accurate. This lack of sufficient security controls for EDA occurred because:

    • security responsibilities are not defined;

    • an end-to-end assessment of security has not been completed;

    • DFAS security and training requirements are not defined; and

    • DFAS Columbus security staff lacked adequate resources.

As a result, risk existed that data maintained in EDA could be altered or misused. Further, auditors would remain unable to rely on EDA system controls, so verification of the transactions would remain labor intensive and administratively burdensome.

Guidance and Responsibility for Securing EDA

DoD System Security Requirement. DoD Directive 5200.28, “Security Requirements for Automated Information Systems (AIS),” March 21, 1988, provides guidance on mandatory minimum automated information system security requirements. Specifically, the Directive requires that heads of DoD Components ensure that periodic independent reviews of the security and protection of their automated information systems are accomplished to ensure compliance with stated security goals.

DoD System Certification and Accreditation Manual. DoD Manual 5200.40, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Application Document,” December 1999 (the accreditation process), establishes standards for certifying and accrediting the security of DoD systems throughout their life cycle. A certification is a comprehensive evaluation of the technical and non-technical security features of an information technology system and other safeguards. The certification supports the accreditation process, which determines whether a particular design and implementation meet a set of specified security requirements. The accreditation is a formal declaration by a designated approving authority that an information technology system is approved to operate in a particular security mode using a prescribed set of safeguards. Before a system can be certified and accredited, the accreditation process requires the completion of a System Security Authorization Agreement (security agreement) and the system test and evaluation.

System Security Authorization Agreement. The security agreement is a formal binding agreement between the organizations responsible for operating and securing the system. The agreement is between the designated approving authority, the certification authority, information technology system representatives, and the program manager. For EDA, those parties are the DFAS Chief Information Officer, the Defense Information Systems Agency (DISA), and JECPO. The security agreement specifies the level of security required when system development begins or when changes to a system are made. The security agreement is designed to fulfill the requirements for a security plan and to meet all the needs for certification and accreditation support documentation. The security agreement includes such items as the system mission, threats to the system, target environment, target architecture, security requirements, applicable data access policies, and resources. Using the security agreement, the designated approving authority determines the accreditation based on the security safeguards, risk, corrective actions, and compliance with the security agreement.

System Test and Evaluation. The objective of the system test and evaluation is to evaluate the implementation of system security to ensure that automated security features affecting confidentiality, integrity, and availability have been implemented according to the security agreement, are performing properly, and provide the required security features. The performance of a system test and evaluation may be a joint effort between the users, systems administration, and program management. In the case of EDA, the system test and evaluation may include DFAS, DISA, and JECPO. The results of the system test and evaluation are included in the security agreement.

DISA Security Readiness Reviews. DISA Field Security Operations personnel perform security readiness reviews on DISA facilities to identify security and infrastructure deficiencies and to generate reports on the discrepancies. According to the “Security Readiness Review Process Guide,” July 30, 1999, organizations should be made aware of the results of the security readiness review process and vulnerability assessment scans conducted at their site because they represent the major part of their certification and accreditation security posture. Since certification tasks include a review and analysis of all prior security readiness review results to determine the security posture of the site and its information systems or technology, it is in the best interest of the site to correct identified security vulnerabilities as quickly as possible.

DFAS System Security Guidance. DFAS Regulation 8000.1-R, “Information Management Corporate Policy,” May 21, 1999, describes DFAS information security requirements and implementing instructions, including the requirement that all DFAS-owned automated information systems be certified and accredited in accordance with the “DFAS Certification and Accreditation Handbook,” March 6, 1998. The DFAS Handbook follows the same process and procedures as those described in the DITSCAP.

EDA Security Responsibilities. The Under Secretary of Defense (Comptroller) issued “Business Rules for Electronic Document Access” as a working draft on June 24, 1999, and stated that they were effective immediately. According to the business rules, EDA security is the responsibility of all organizations involved in the process, including JECPO, DFAS, DISA, the users, and the data originating sites. Participation by all parties is critical to ensure that security is planned and managed as an end-to-end process. We commend the Director, DFAS Columbus, for acknowledging a potential security weakness and requesting Inspector General, DoD, assistance for an in-depth look at EDA security.

Security of EDA

Reliance on EDA. DFAS Columbus personnel rely on the information accessed from EDA to make more than 82,000 contract payments each month, and contracting officials throughout DoD rely on EDA data to monitor contracts, contract modifications, Government bills of lading, and vouchers. In addition, to provide opinions on DoD annual financial statements compiled by DFAS, auditors must assess the reliability of information contained in EDA. If they are unable to rely on the information contained in EDA, they must significantly increase their sample size to test the integrity of the financial information at DFAS Columbus. For example, the Air Force Audit Agency required DFAS to produce 11,000 documents to verify the reliability of electronic data. Therefore, the data maintained within EDA must be accurate and secure to preclude unauthorized access and manipulation of data.

Adequacy of Security Efforts of EDA Data Used by DFAS Columbus. As users and participants in the EDA process, DFAS, JECPO, and DISA, as well as the originators of EDA data, have a responsibility to ensure the accuracy and reliability of the information, and thus the security controls over EDA input, access, and use. As such, they need to demonstrate to users reasonable assurance that EDA data are accurate, and that security controls are in place and periodically tested to provide an acceptable level of assurance.

Our review of EDA controls at DFAS Columbus revealed that the controls were not sufficient to provide reasonable assurance that data transmitted using EDA were accurate. We identified examples of access control weaknesses and other security vulnerabilities that reduced system reliability. In addition, the Air Force Audit Agency identified weaknesses during the audit of the Air Force FY 1999 financial statements that precluded their reliance on the security of EDA data.

Access Control Issues. At DFAS Columbus, the information security manager is responsible for implementing all security measures, and each division is assigned a terminal area security officer who is responsible for requesting EDA access from the Ogden computer center. The terminal area security officer reports to the information security manager at DFAS Columbus.

The information security manager at DFAS Columbus has not implemented the concept of least privilege for access to EDA.[1] An access control list based on least privilege can limit the damage that may result if the concept of least privilege is ignored. An access control list specifies, for each named system or file, a list of named individuals with their respective level of access to that system or file.

The terminal area security officer within each division at DFAS Columbus maintains a list of personnel who have access to EDA. The list, however, is not based upon least privilege, security levels, or type of position held at DFAS Columbus. Rather, access to EDA was granted based on a supervisor’s determination that an employee needed access, regardless of whether the individual had access to other systems that could be incompatible. The supervisors at DFAS Columbus have not been provided the criteria they need to properly determine the level of access to EDA. Although the information security manager is responsible for implementing security controls, the Director, DFAS Columbus, is responsible for providing the access criteria.

We identified one DFAS Columbus employee who had sufficient access to manipulate data and erase the audit trail because of combined access to EDA, the Electronic Document Management System, the Electronic Data Interchange system,[2] and the Mechanization of Contract Administration Services (MOCAS). This employee could change the Master Address File within the MOCAS system, which allows changing contractor and government entity codes and addresses, incorporating invoices, and having payments made by changing significant parts of contracts within the MOCAS system. Coupled with access to EDA, this person could access contracts, copy them, change relevant data, and incorporate that data into the MOCAS system so that payments could be made directly to that individual. We discussed this scenario with DFAS Columbus management, who agreed that access profiles are necessary to determine whether other employees could have this capability. The information security manager was unaware of the employee’s access levels. DFAS Arlington officials maintain that the same risk exists with paper contracts received through the mail system; however, safeguards must be in place to ensure that EDA does not make it easier to alter or misuse data.

Although DFAS Columbus is working on establishing access control lists based on least privilege, they could not tell us whether there were other personnel who had the same type of access or state whether that type of access occurred only once.
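The access-profile review that DFAS Columbus management agreed is necessary can be run mechanically over the per-division access lists the terminal area security officers already maintain. The following is an added example and is not code from the report, DFAS, JECPO, or DISA. The system names (EDA, EDMS, EDI, MOCAS) and the "alter the Master Address File, then have a payment made" scenario come from the report; the privilege names, position profiles, toxic-combination rules, user names, and access records are constructed for illustration. It generalizes the report's single case: every user is checked against a least-privilege profile for their position, and separately against combinations of privileges that let one person complete a fraudulent payment end to end.

```python
"""Least-privilege and incompatible-access check over system access records.

Added example; not part of the DoD IG report. Privilege names, position
profiles, toxic-combination rules and the sample records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed access records: (user, system, privilege). A real review would
# load these from each system's user list rather than from a literal.
ACCESS_RECORDS = [
    ("alice", "EDA", "read"),
    ("alice", "MOCAS", "payment_entry"),
    ("bob", "EDA", "read"),
    ("bob", "EDMS", "read"),
    ("bob", "EDI", "write"),          # DFAS staff should only hold view access
    ("bob", "MOCAS", "payment_entry"),
    ("bob", "MOCAS", "master_address_file_write"),
    ("carol", "EDA", "read"),
    ("carol", "MOCAS", "master_address_file_write"),
    ("dave", "EDA", "read"),
]

# Hypothetical position profiles: the most restrictive set of privileges a
# position needs, which is how DoD Directive 5200.28 frames least privilege.
POSITION_PROFILES = {
    "payment_technician": {("EDA", "read"), ("EDMS", "read"), ("EDI", "read"),
                           ("MOCAS", "payment_entry")},
    "vendor_file_maintainer": {("MOCAS", "master_address_file_write")},
    "auditor": {("EDA", "read")},
}
USER_POSITIONS = {"alice": "payment_technician", "bob": "payment_technician",
                  "carol": "vendor_file_maintainer", "dave": "auditor"}

# Incompatible combinations (hypothetical rule names): holding every privilege
# in a set lets one person redirect a payee and then cause a payment.
TOXIC_COMBINATIONS = {
    "alter payee and enter payment": {
        ("MOCAS", "master_address_file_write"), ("MOCAS", "payment_entry")},
    "source contract data, alter payee, pay": {
        ("EDA", "read"), ("EDI", "write"), ("MOCAS", "master_address_file_write")},
}


@dataclass
class Finding:
    user: str
    kind: str        # "excess_privilege" or "toxic_combination"
    detail: str


def build_profiles(records):
    """Collapse (user, system, privilege) rows into per-user entitlement sets."""
    profiles = defaultdict(set)
    for user, system, priv in records:
        profiles[user].add((system, priv))
    return dict(profiles)


def review_access(records, positions, position_profiles, toxic):
    """Report privileges beyond a user's position profile and any toxic set held."""
    findings = []
    for user, held in sorted(build_profiles(records).items()):
        position = positions.get(user, "unassigned")
        allowed = position_profiles.get(position, set())   # no profile: nothing allowed
        for system, priv in sorted(held - allowed):
            findings.append(Finding(user, "excess_privilege",
                                    f"{system}:{priv} not in profile for {position}"))
        for name, combo in toxic.items():
            if combo <= held:                               # subset test
                findings.append(Finding(user, "toxic_combination", name))
    return findings


def users_with(findings, kind):
    """Distinct users that have at least one finding of the given kind."""
    return sorted({f.user for f in findings if f.kind == kind})


if __name__ == "__main__":
    for f in review_access(ACCESS_RECORDS, USER_POSITIONS,
                           POSITION_PROFILES, TOXIC_COMBINATIONS):
        print(f"{f.user:6} {f.kind:18} {f.detail}")
```

On the constructed data, bob is flagged twice for excess privilege (EDI write and Master Address File write are outside the payment technician profile) and twice for toxic combinations, and carol is flagged once for holding EDA read outside the vendor file maintainer profile. The two checks are deliberately separate: a user can sit entirely within an over-broad profile and still hold a toxic set, which is why the profile alone is not a sufficient control.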
At present, the information security manager cannot quantify the potential security risk.

[1] DoD Directive 5200.28 defines least privilege as granting each user the most restrictive set of privileges needed to perform the duties of the position.
[2] DFAS Columbus Site personnel are investigating the extent of this employee’s access to the Electronic Data Interchange system because DFAS personnel should have only view access.

Security Vulnerabilities. The information security manager at DFAS Columbus was not aware of any security readiness reviews conducted on the EDA servers at the Columbus computer center. A security readiness review assesses the operating system and computer for vulnerabilities that would allow an intruder to perform malicious acts and destroy the audit trail. As part of its responsibility to oversee security of DoD systems, DISA periodically conducts security readiness reviews of systems to determine the reliability of the system and its data. In June 1999, DISA performed a security readiness review on the EDA servers at the Columbus computer center and reported 34 findings. Although the Columbus computer center has resolved the findings, the information security manager was unaware that the security readiness review had been completed or that findings had existed. The information security manager should coordinate with DISA personnel to evaluate the security readiness reviews on the EDA servers and their results, because the findings may affect the security of the system.

Air Force Audit Agency Validation of EDA Data. In performing audit work in support of the Air Force FY 1999 financial statements, the Air Force Audit Agency had to assess the accuracy of EDA and other data that support the financial statements. At DFAS Columbus, they were unable to rely on the EDA data and therefore had to do more work to validate amounts identified in EDA documents. The Air Force Audit Agency expended an additional 1.3 man-years of resources to validate the transactions; however, DFAS estimated that it used an additional 10 to 12 man-years to satisfy the Air Force Audit Agency request. According to the Air Force Audit Agency, about 30 percent of the EDA contracts reviewed did not contain signatures, which also resulted in additional work for Air Force Audit Agency and DFAS personnel.

The Director, DFAS Columbus, stated that DFAS does not know why there were no signatures on some of the documents received. Further, the Director stated that DFAS assumes the documents entered into EDA are valid and accurate.

The Air Force Audit Agency contacted contracting officers to substantiate the documents maintained in EDA. Although all the EDA contracts proved to be valid, the Air Force Audit Agency stated that because the contracts are accessed over the web, fraud could be committed by a contracting officer or by other personnel with access to EDA and other DFAS systems. Currently, procurement and administrative contracting officers are entering contracting documents into EDA. The Air Force Audit Agency stated that an individual with contracting officer access privileges could submit a contract without signatures and obtain a payment. Also, the Air Force Audit Agency stated that DFAS Columbus personnel use EDA contracting documents to enter data into the MOCAS system to make automatic payments without human intervention. Because of concerns about the validity of the EDA data and its reliability, the Air Force Audit Agency needed to substantiate the data with the signed and dated copies maintained at the contracting offices, consequently using more resources and reducing the benefits of EDA.

EDA Security Responsibilities

EDA security was insufficient because security responsibilities were not well defined, an end-to-end assessment of security was not accomplished, security training was inadequate, and the DFAS Columbus security staff lacked adequate resources.

Security Definition. JECPO and DFAS did not clearly define EDA security. According to JECPO officials, their focus has been on implementing electronic commerce initiatives according to the Deputy Secretary of Defense mandate to move toward paperless contracting by January 2000. Therefore, security was not a priority while EDA was being implemented. JECPO officials stated that security over EDA transactions should not be any greater than for the same transactions using paper documentation; however, no documented assessment of the risks of digitizing contractual documents was available. JECPO and DFAS officials also concluded that DISA was responsible for implementing security for EDA because EDA ran on DISA computers. However, DISA officials stated that they had no authority to mandate security controls for organizations outside direct DISA control and that they would implement only the security specifically requested by the user site. Therefore, JECPO and DFAS did not adequately assume responsibility for EDA security requirements, and a comprehensive security plan was not developed and finalized. For example, the DoD Electronic Document Access Security Plan, working draft, dated July 15, 1996, does not address how security would be implemented for each of the principals: JECPO, DFAS, DISA, and the document authors. The plan was not finalized, although JECPO estimates there are 15,000 EDA users. The lack of EDA security can be partially attributed to the lack of security content in the ASD(C3I) Electronic Business/Electronic Commerce Strategic Plan. Although the strategic plan provides a blueprint for DoD electronic business, the ASD(C3I) needs to revise the plan to include security requirements that provide guidance for JECPO, which reports to the ASD(C3I).

End-to-End Assessment of EDA Security. DFAS Arlington had taken steps to partially address EDA end-to-end security by initiating Memorandums of Understanding in October 1997 with EDA data originating sites. The agreements between DFAS and the data originating sites describe the terms under which the document provider would no longer supply paper copies of contracting documents to DFAS Columbus. However, DFAS does not review the Memorandums of Understanding once they are established, because DFAS does not have the authority to mandate end-to-end security requirements for electronic business.

The Memorandum of Understanding states that it is the responsibility of the data originating sites to ensure the validity of the documents entered into EDA. Further, the Memorandum of Understanding indicates that, in order to implement EDA and turn off the use of paper between the requesting organization and DFAS, documents released to EDA must be approved, authentic and legal, readable, and identical to the signed paper copy. The Memorandum of Understanding is silent on signature requirements, and DFAS assumes that the data originating sites would not enter invalid contracts into EDA.

JECPO, through the ASD(C3I), has the authority to implement end-to-end security requirements for EDA. Therefore, JECPO, rather than DFAS,[3] should incorporate security requirements in the Memorandum of Understanding and also establish the review requirements for the EDA data originating sites and users. In addition, to ensure the security of the system from the data originating sites, through the Defense Electronic Business Exchange or the Defense Automated Printing Service, to the users of EDA data, an assessment of EDA security should be made that addresses the end-to-end process. Such an end-to-end assessment would be consistent with the accreditation process and should include the System Security Authorization Agreement and the System Test and Evaluation.

System Security Authorization Agreement. The accreditation process establishes a standard, integrated approach to protecting and securing a system. The DITSCAP describes the security agreement as the vehicle that defines the implementation of information technology security requirements. A security agreement describes the system from definition through system test and evaluation, risk assessments, system rules of behavior, contingency planning, accreditation documentation and accreditation statements, and security responsibilities.
Thus, a security agreement should provide a comprehensive\n          end-to-end assessment of EDA.\n\n                   Because the system is implemented by JECPO, used by DFAS and\n          contracting offices, and operated by DISA, it is essential that a security\n          agreement be developed to coordinate EDA security requirements among these\n          organizations. Although the designation of responsibilities for security over\n          EDA is undefined, JECPO, as the DoD-wide integrator of electronic commerce\n          initiatives, should initiate the development of the security agreement for the\n          EDA system. The development of the security agreement should include\n          coordination with the DFAS and DISA to incorporate all relevant elements as\n          outlined in the DITSCAP accreditation process manual. The security agreement\n          should be developed which specifies security responsibilities for JECPO, DFAS,\n          DISA, and the data originating sites.\n\n                 EDA system certification and accreditation can not be achieved without\n          the development of the security agreement. However, the DFAS Chief\n          Information Officer issued an Interim Approval to Operate on October 22,\n          1999, through October 23, 2000, based on a verbal presentation. The DFAS\n          Chief Information Officer extended the Interim Approval to Operate on\n\n3\n    As part of the System Security Authorization Agreement with DFAS and other EDA users, JECPO may\n    delegate authority to DFAS or other activities to oversee enforcement of the Memorandum of\n    Understanding depending upon resource constraints. 
However, JECPO must determine that the\n    Memorandum addresses EDA data security.\n\n\n\n                                                 10\n\x0cOctober 24, 2000, for 180 days so that JECPO could have time to finalize\nMemorandums of Understanding with interfacing systems and finalize the draft\nSystem Security Authorization Agreement.\n\n        According to the DITSCAP, an interim approval to operate is a\ntemporary approval that may be issued for no more than a one-year period after\nthe security agreement and system test and evaluation are developed and tested.\nThe DFAS Chief Information Officer granted the approval of the EDA interim\napproval to operate acknowledging that EDA security needs improvement, but\nthe benefits of operating the system outweigh the risks. Although the DFAS\nChief Information Officer provided the approval to operate, JECPO has the\nresponsibility for integrating electronic commerce in DoD. As such, JECPO\nshould develop the security agreement for EDA in coordination with DFAS and\nDISA to incorporate all relevant elements as described in the DITSCAP, prior\nto expiration of the 180 days extension, when the extended interim authority to\noperate expires. The development of the security agreement is essential for\nensuring that security requirements are addressed and that joint responsibility\nfor security is delegated as appropriate.\n\n        System Test and Evaluation. According to the DITSCAP, once a\nsecurity agreement has been established, a system test and evaluation should be\nperformed prior to certification to assess the security infrastructure and to\ndetermine whether security features have been implemented according to the\nsecurity agreement. Specifically, the system test and evaluation validates\nidentification and authentication, audit trail capabilities within the system, and\nthe rules that define how the network connection is implemented. 
According to\nthe DITSCAP, the system test and evaluation should include test procedures on\ntechnical hardware and software security requirements to test the correct\nimplementation of the security policy. Also, security functional testing must\nevaluate the system to determine whether installation procedures were correctly\nimplemented.\n\n        The lack of an evaluation may result in the improper integration and\noperation of all security features affecting confidentiality, integrity, and\navailability of the system. Although the responsibility for EDA security is not\nclear, JECPO as the DoD organization responsible for electronic commerce\nimplementation should initiate planning for testing and evaluating the EDA\nsystem.\n\n        The system test and evaluation process should document the procedures\nnecessary to measure security at DISA, DFAS, and data origination sites\nbecause neither DFAS nor DISA has the authority to enforce security outside\ntheir own agencies. The system test and evaluation should determine whether\nsecurity controls are working as intended and that all parties are following the\ncontrols described in the security agreement.\n\nDFAS Training and Security Requirements. DFAS Columbus is a user of\nEDA and must ensure the adequacy of EDA security. Information security\n\n\n\n\n                                    11\n\x0ctraining is essential to meeting the security requirements within any organization\nbecause of the rapid movement into the electronic commerce arena. Information\nsystem security managers and security staff are the focal point in any\norganization for information system security.\n\n        Security Training. The Director, DFAS Columbus, had not ensured\nthat the information security manager received the necessary security training.\nAccording to DFAS Regulation 8000.1-R, the DFAS Directors supervise\nsecurity personnel and manage DFAS security policy for systems under their\ncontrol and within the sites. 
The information security manager is an essential\nelement to the overall security at DFAS Columbus. However, the information\nsecurity manager stated that training on information management, security\ncontrols, physical and access controls had not been received. The only training\nfor the information security manager included attendance at security conferences\nwith no in-depth detailed training on information management and security\ncontrols. The Director, DFAS Columbus, should require the information\nsecurity manager to attend training on information management and information\nsecurity controls, planning and administration of the security program, access\ncontrol, network security measures, electronic commerce security issues, and\nphysical protection of the computing facilities.\n\n        DFAS Chief Information Officer Information Assurance Training.\nOn June 29, 1998, the ASD(C3I) requested that the Under Secretary of Defense\nfor Personnel and Readiness identify a common set of information assurance\ntraining and certification requirements for military and civilian occupation\nspecialties. The memorandum directs that DoD Components shall demonstrate\nfull compliance through the development and implementation of certification\nplans and procedures for all DoD employees who use DoD computer systems or\nperform the duties of system administrators and maintainers. In Inspector\nGeneral, DoD, Report No. 99-107, \xe2\x80\x9cComputer Security for the Defense\nCivilian Pay System,\xe2\x80\x9d March 16, 1999, we recommended that DFAS revise\nDFAS Regulation 8000.1-R to outline specific training requirements for each\nsecurity position commensurate with assigned functional responsibilities. 
DFAS\nconcurred with the recommendation.\n\n        The DFAS Chief Information Officer had not developed the training\ncurriculum for security officers (information security manager, information\nsystem security officers, and terminal area security officers) as required by the\nASD(C3I). The DFAS Chief Information Officer acknowledged that they are\nrevising the training requirements that were due out in August 2000, including\nrequirements for each type of security officer. Because of increased reliance on\nautomation and the need for proper controls and access, it is critical for those\nresponsible for security to be knowledgeable of the systems security\nrequirements and potential vulnerabilities. Once trained, these personnel should\nbe better able to identify and oversee security requirements for DFAS Columbus\nsystems and processes. The DFAS Chief Information Officer needs to complete\nthe development of a training curriculum to qualify information security\nmanagers for their positions.\n\n\n\n\n                                    12\n\x0c   DFAS Columbus Security Efforts for EDA. In addition to not having\n   available a training curriculum, DFAS Columbus also lacked sufficient staff to\n   adequately perform the security functions described in DFAS\n   Regulation 8000.1-R or to review the DFAS Columbus information systems,\n   including EDA.\n\n           Security Resources. The Director, DFAS Columbus, did not ensure\n   that the information security manager had the personnel resources to enforce\n   applicable security policies. The information security manager was formally\n   assigned in February 2000 after serving as an alternate since 1998. The\n   information security manager and an alternate are responsible for all information\n   security at DFAS Columbus. However, the alternate does not actively\n   participate in specific system security because of responsibilities with the DFAS\n   Columbus network. 
Each system at DFAS Columbus was to have an\n   information system security officer to help address security concerns for\n   particular systems. According to the DFAS Columbus information security\n   manager, the information system security officers have not been appointed. The\n   information security manager must have the resources to protect DFAS\n   Columbus information systems. The Director, DFAS Columbus, should also\n   assess and provide the resources the information security manager needs to\n   perform the functions outlined in DFAS Regulation 8000.1-R.\n\n           Security Reviews. According to DFAS, because of limited staff, the\n   information security manager had not developed an overall plan to review\n   systems, to review security readiness review results, or coordinate remedies\n   with DISA. For the same reason, the information security manager had been\n   unable to conduct periodic independent reviews of system adequacy. For EDA\n   and other systems, the information security manager had not developed access\n   control lists (profiles) to preclude employees from having access greater than\n   needed. As a result, employees that changed jobs may have retained access\n   privileges to systems they no longer needed access to. This could result in an\n   employee gaining sufficient access to potentially commit fraud or to perform\n   malicious acts without detection.\n\n          To improve security at DFAS, the Director, DFAS Columbus, needs to\n   require the information security manager to document and execute a plan to\n   implement and enforce all applicable security policies and safeguards. The\n   information security manager should also develop access profiles for all\n   personnel having access to the EDA and other DFAS Columbus systems.\n\n\nSummary\n   The general controls for the EDA system at DFAS Columbus did not provide\n   reasonable assurance that the system was adequately protected. 
As such, the\n   EDA security weaknesses allowed the risk of undetected fraud or misuse. The\n   lack of a security agreement or a system test and evaluation increases the risk of\n   data inaccuracy and that implemented security may not be operating as intended.\n   JECPO oversight needs to be expanded to include the development of the\n\n\n                                       13\n\x0csecurity agreement for the EDA system and the conduct of a system test and\nevaluation to reduce risk. An EDA system test and evaluation should be\ndeveloped and testing accomplished to provide assurance that the EDA system is\nprotected and operating as intended.\n\nThere was not a reasonable basis to rely upon DFAS Columbus controls to\nprevent fraud or misuse because the lack of resources and training for the\ninformation security manager position. Also, the lack of knowledge by the\ninformation security manager of system vulnerabilities increases the risk of\nintrusion.\n\nAdditionally, DFAS estimated that 10 to 12 man-years were necessary to gather\nthe documentation needed by the Air Force Audit Agency for reviewing\nelectronic transactions to support their FY 1999 financial statement audits.\nBecause of the limited reliability of DFAS Columbus security for their\nelectronic transactions, the Air Force Audit Agency required DFAS Columbus\nto provide more than 11,000 paper documents to support the sampled electronic\ntransactions, which eliminated the EDA benefits of reducing the reliance on\npaper. Until controls are improved, auditors may need to continue to request\npaper copies for electronic transactions being audited.\n\nEfforts Taken by JECPO, DFAS and DISA. JECPO, DFAS, and DISA have\ninitiated some security measures for EDA use at DFAS Columbus.\n\n        JECPO Efforts. As of October 2000, JECPO acknowledged\nresponsibility for end-to-end security of EDA and has initiated actions to address\nsuch. 
Specifically, JECPO with the support of DFAS, is developing the\nsecurity agreement and the system test and evaluation and is updating EDA\ndocumentation as necessary. Based on comments from a draft of this report,\nJECPO stated that a system test and evaluation was conducted the week of\nSeptember 11, 2000, at the Defense Enterprise Computing Center at Ogden,\nUtah, and Columbus, Ohio. Final report recommendations from the system test\nand evaluation will be reviewed and appropriate corrective actions will be\nimplemented. In addition, JECPO is in the process of developing and\ncoordinating Memorandums of Agreement with each of the EDA user\norganizations.\n\n        DFAS Efforts. DFAS acknowledged the need to work with JECPO and\nDISA to improve EDA security. DFAS also acknowledged the need to improve\nsecurity at DFAS Columbus to provide training to its security personnel. In\naddition, DFAS has initiated Memorandums of Understanding to establish a\nworking agreement between DFAS and the data originating sites to authorize\ntheir use of EDA and to permit their discontinuing submission of paper\ndocuments to DFAS Columbus. In the Memorandums of Understanding, DFAS\nstates that the users must comply with DFAS EDA business rules. The business\nrules require that internal controls at the contract writing organization are\nsufficient to ensure that only valid, awarded contracts are placed on EDA, no\npen and ink changes are made to the contracts once they are converted to EDA,\nand the procurement office retains the official signed contract. Further, the\n\n\n\n                                    14\n\x0c     Memorandums of Understanding place responsibility for ensuring the accuracy\n     and validity of documents in EDA on the providers of the contract information.\n\n            DISA Efforts. 
In addition, as a good first step, DISA computer centers\n     in Columbus and Ogden have implemented secure locations by installing\n     Enforcer software for the EDA document servers for intrusion detection, and all\n     EDA connections to the computer centers are through a firewall. DISA Field\n     Security Operations personnel recommended the intrusion detection software.\n\n\nRecommendations, Management Comments, and Audit\n  Response\n        1. We recommend that the Assistant Secretary of Defense for\n  Command, Control, Communications, and Intelligence revise the Electronic\n  Business/Electronic Commerce Strategic Plan to address specific security\n  responsibilities and requirements.\n\n         ASD(C3I) Comments. The ASD(C3I) concurred.\n\n          Audit Response. Comments from the ASD(C3I) are responsive. We\n  request that the ASD(C3I) specify when the revision to the Electronic Business/\n  Electronic Commerce Strategic Plan will be accomplished in comments on the final\n  report.\n\n        2. We recommend that the Director, Joint Electronic Commerce\n  Program Office:\n\n      a. Develop the System Security Authorization Agreement to provide end-to-\n  end security for the Electronic Document Access system in coordination with\n  the Defense Finance and Accounting Service and the Defense Information\n  Systems Agency to incorporate all relevant elements as outlined in the DoD\n  Information Technology Security Certification and Accreditation Process\n  manual before October 22, 2000.\n\n  JECPO Comments. Comments from JECPO were included in comments from\n  DISA. JECPO concurred and has prepared a draft System Security Authorization\n  Agreement that was completed and delivered to DFAS and DISA on September 7,\n  2000, for coordination. JECPO is in the process of finalizing the agreement.\n\n  Audit Response. JECPO comments are responsive. 
We request that JECPO\n  provide a completion date for the finalized agreement in comments to the final\n  report.\n\n     b. Develop and execute the Electronic Document Access system test and\n  evaluation to include all Electronic Document Access system users, the Defense\n  Finance and Accounting Service, and the Defense Information Systems Agency.\n\n\n\n\n                                         15\n\x0cJECPO Comments. JECPO concurred and stated that an EDA security test and\nevaluation was completed in September 2000 at DECC Ogden and DECC\nColumbus using the draft System Security Authorization Agreement,\nSeptember 7, 2000, and DITSCAP guidance. JECPO comments also stated that\nfinal recommendations would be reviewed and appropriate corrective actions would\nbe implemented.\n\nAudit Response. The JECPO comments are responsive. We request that JECPO\nprovide a completion date for when the review would be performed and corrective\nactions would be implemented in comments to the final report.\n\n   c. Incorporate security requirements and review guidelines within the\nMemorandums of Understanding with Electronic Document Access document\nproviders and users.\n\nJECPO Comments. JECPO concurred and is in the process of drafting and\ncoordinating the memorandums with each of the feeder and interfacing systems with\nEDA. JECPO anticipates the revised Memorandums of Understanding to be signed\nduring first quarter FY 2001. Also, the signed Memorandums of Understanding\nwill be made a part of the System Security Authorization Agreement, system test\nand evaluation, and EDA security documentation package.\n\n      3. 
We recommend that the Chief Information Officer, Defense Finance\nand Accounting Service, complete a security training curriculum for the\ninformation security manager, the information system security officer, and the\nterminal area security officer in accordance with the Assistant Secretary of\nDefense for Command, Control, Communications, and Intelligence, June 29,\n1998, memorandum on Information Assurance training.\n\n       DFAS Comments. DFAS concurred and stated that training is being\nprovided agency-wide including security personnel at DFAS Columbus and will be\ncompleted by March 2001.\n\n       4. We recommend that the Director, Defense Finance and Accounting\nService, Columbus:\n\n   a. Require the information security manager to document and execute a\nplan to implement and enforce all applicable security policies and safeguards\nover the systems located at the Defense Finance and Accounting Service\nColumbus.\n\nDFAS Comments. DFAS concurred and stated that the Information Security\nManager has prepared a draft of the Information Security Plan that outlines goals,\nobjectives, specific actions, roles, and responsibilities of DFAS information security\nmanagers. The final version of the Information Security Plan is expected to be\ncompleted by December 31, 2000, with implementation in January 2001.\n\n   b. Develop access profiles for all personnel having access to the Electronic\nDocument Access.\n\n\n\n                                       16\n\x0cDFAS Comments. DFAS nonconcurred and stated that Contract Pay Services\npersonnel do not have the capability to alter or change EDA documents, but can\nonly browse and print documents. DFAS maintains that the contract writing\norganizations control the content of converted EDA documents. In addition, DFAS\nstated that the Terminal Area Security Officers maintain access to systems on a\nspreadsheet for each person and are reviewed to ensure that there are no internal\ncontrol violations. 
Further, DFAS Columbus stated that they will request a listing\nof all contract pay services personnel that have access to EDA for comparison with\nexisting MOCAS access tables and profiles. The comparison will ascertain whether\nthere are inconsistencies between the functional requirements of the personnel and\ntheir granted access. The DFAS comments indicate that if inconsistencies are\nfound, corrective action will be taken to restrict the query access to only the EDA\ndocuments needed to accomplish assigned duties.\n\nAudit Response. DFAS comments are responsive. Although DFAS nonconcurred\nwith the recommendation, the development of a listing to compare existing MOCAS\ntables and profiles with access to EDA meets the intent of the recommendation.\n\n    c. Require the information security manager to attend training on\ninformation management and information security controls, planning and\nadministration of the security program, access control, network security\nmeasures, electronic commerce security issues, and physical protection of the\ncomputing facilities.\n\nDFAS Comments. DFAS concurred and stated that the Information Security\nManager has attended over 450 hours in formal training. DFAS agreed that a\ncourse curriculum specifically geared to information security management is desired\nand the expected completion date for the information security training is\nMarch 2001.\n\n   d. Assess the resource needs of the information security manager and\nredirect or request additional resources, as necessary, to perform the functions\ndescribed in the Defense Finance and Accounting Service Regulation 8000.1-R,\n\xe2\x80\x9cInformation Management Corporate Policy,\xe2\x80\x9d May 21, 1999.\n\nDFAS Comments. DFAS concurred and stated that the Information Security\nManager is part of the establishment of the Technical Services Organization that\nwill be completed in June 2001.\n\n\n\n\n                                       17\n\x0cAppendix A. 
Audit Process\n\nScope\n    Work Performed. Personnel at DFAS Columbus rely on the information\n    accessed from EDA to make more than 82,000 contract payments each month.\n    We performed the audit at DFAS Arlington, DFAS Columbus, and the Joint\n    Electronic Commerce Program Office from December 1999 through July 2000.\n    We reviewed how DFAS implemented controls for an entity-wide security\n    program and access controls for the EDA system. We interviewed the DFAS\n    Columbus information security manager, the DFAS Columbus terminal area\n    security officers, and the DISA security representatives at the Columbus and\n    Ogden Defense Enterprise Computer Centers to determine how they\n    implemented security over EDA. We also performed a walkthrough of the\n    EDA process as it relates to the Mechanization of Contract Administration\n    Services and the Standard Automated Materiel Management System. We\n    reviewed the security readiness reviews performed by DISA Field Security\n    Operations on the Columbus computer center EDA operating software. The\n    reviews identified weaknesses and planned corrective actions for operating\n    software that supports EDA.\n\n    Limitations to Audit Scope. The audit was limited to the review of the general\n    controls for the EDA system at DFAS Columbus. Based on our assessment of\n    the general controls, we determined that a review of the application controls\n    should not be conducted at this time. Subsequent reports on the Electronic\n    Document Interchange and Electronic Document Management systems will be\n    issued.\n\n    DoD-Wide Corporate-Level Government Performance and Results Act\n    Goals. In response to the Government Performance and Results Act, the\n    Secretary of Defense annually establishes DoD-wide corporate-level goals,\n    subordinate performance goals, and performance measures. 
Currently, DoD\n    has not established a corporate-level goal for information assurance, although\n    the General Accounting Office lists it as a high-risk area. This report pertains\n    to achievement of the following goal, subordinate performance goal, and\n    performance measures:\n\n           \xe2\x80\xa2 FY 2001 DoD Corporate-Level Goal 2: Prepare now for an uncertain\n              future by pursuing a focused modernization effort that maintains U.S.\n              qualitative superiority in key warfighting capabilities. Transform the\n              force by exploiting the Revolution in Military Affairs, and reengineer\n              the Department to achieve a 21st century infrastructure.\n\n           \xe2\x80\xa2 FY 2001 Subordinate Performance Goal 2.5: Improve DoD\n              financial and information management. (01-Dod-2.5)\n\n\n\n\n                                        18\n\x0c           \xe2\x80\xa2 FY 2001 Performance Measure 2.5.1: Reduce the number of\n              noncompliant accounting and finance systems. (01-DoD-2.5.1)\n\n    DoD Functional Area Reform Goals. Most major DoD functional areas have\n    also established performance improvement reform objectives and goals. This\n    report pertains to achievement of the following functional area objectives and\n    goals:\n\n           \xe2\x80\xa2 Financial Management Area. Objective: Strengthen internal\n              controls. Goal: Improve compliance with Federal Managers\n              Financial Integrity Act. (FM-5.3)\n\n           \xe2\x80\xa2 Information Technology Management Area. Objective: Ensure\n               that DoD vital information resources are secure and protected. Goal:\n               Assess information assurance posture of DoD operational systems.\n               (ITM-4.4)\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the Department of Defense. 
This report
    provides coverage of the Information Management and Technology and the
    Defense Financial Management high-risk area.

Methodology
    Use of Computer-Processed Data. We did not use computer-processed data to
    perform this audit.

    Use of Technical Assistance. We did not use technical assistance to perform
    this audit.

    Audit Type, Dates, and Standards. We performed this financial-related audit
    from December 1999 through July 2000 according to auditing standards issued
    by the Comptroller General of the United States, as implemented by the
    Inspector General, DoD. We used the General Accounting Office Federal
    Information Systems Control Manual and the DoD Information Technology
    Security Certification and Accreditation Process as guides for conducting this
    general control review.

    Contacts During the Audit. We visited or contacted individuals and
    organizations within DoD. Further details are available on request.

Management Control Program Review
    DoD Directive 5010.38, “Management Control (MC) Program,” August 26,
    1996, and DoD Instruction 5010.40, “Management Control (MC) Program
    Procedures,” August 28, 1996, require DoD organizations to implement a
    comprehensive system of management controls that provides reasonable
    assurance that programs are operating as intended and to evaluate the adequacy
    of the controls.

    Scope of the Review of the Management Control Program. We reviewed the
    adequacy of management controls in place for EDA. Specifically, we reviewed
    the implementation of DoD policies and procedures governing EDA. We
    reviewed management’s self-evaluation applicable to those management
    controls.

    Adequacy of Management Controls. We identified material management
    control weaknesses as defined by DoD Instruction 5010.40. Management
    controls were not adequate to ensure the accuracy of electronic transactions
    using EDA. All recommendations in this report, if implemented, will provide
    the necessary controls for ensuring the accuracy of the electronic transactions.
    A copy of this report will be provided to the senior official responsible for
    management controls in the ASD(C3I); DFAS Arlington; and DFAS Columbus.

    Adequacy of Management’s Self-Evaluation. DFAS Columbus officials did
    not identify EDA as an assessable unit and, therefore, did not identify or report
    the material management control weaknesses identified by the audit.

Appendix B. Prior Coverage

General Accounting Office
  GAO Report No. GAO/AIMD 99-107 (OSD Case No. 1835), “Information
  Security: Serious Weaknesses Continue to Place Defense Operations at Risk,”
  August 26, 1999

  GAO Report No. GAO/AIMD 98-92 (no OSD case number was issued),
  “Information Security – Serious Weaknesses Place Critical Federal Operations and
  Assets at Risk,” September 23, 1998

Inspector General
  Inspector General, DoD, Report No. 99-107, “Computer Security for the Defense
  Civilian Pay System,” March 16, 1999

  Inspector General, DoD, Report No. 99-103, “DoD Efforts to Implement Year
  2000 Compliance for Electronic Data Interchange,” March 5, 1999

  Inspector General, DoD, Report No. 96-214, “Computer Security for the Federal
  Acquisition Computer Network,” August 22, 1996

Air Force
  Air Force Audit Agency, Project No. DW000005, “Accounting for Selected Assets
  and Liabilities (Fund Balance with Treasury), Fiscal Year 1998 Air Force
  Consolidated Financial Statements, Defense Finance and Accounting Service –
  Columbus Center, Columbus OH,” December 8, 1999

  Air Force Audit Agency, Project No. DW000003, “Accounting for Revenues and
  Other Financing Sources (Disbursements), Fiscal Year 1998 Air Force Consolidated
  Financial Statements, Defense Finance and Accounting Service – Columbus Center,
  Columbus OH,” November 22, 1999

  Air Force Audit Agency, Project No. 97064011, “Electronic Data Interchange
  Procurement Transactions,” December 24, 1998

Appendix C. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller/Chief Financial Officer)
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
  Director, Joint Electronic Commerce Program Office

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Defense Organizations
Director, Defense Contract Management Agency
Director, Defense Finance and Accounting Service
  Director, Defense Finance and Accounting Service Columbus
Director, Defense Information Systems Agency
Director, Defense Logistics Agency

Non-Defense Federal Organizations and Individuals
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and
  Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Management, Information, and Technology,
  Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International
  Relations, Committee on Government Reform

Assistant Secretary of Defense for Command, Control, Communications, and
Intelligence Comments

Defense Information Systems Agency Comments

Defense Finance and Accounting Service Comments

Audit Team Members
The Finance and Accounting Directorate, Office of the Assistant Inspector General for
Auditing, DoD, prepared this report.

F. Jay Lane
Salvatore D. Guli
Kimberley A. Caprio
Eric L. Lewis
Jacqueline J. Vos
Yolanda C. Watts
Troy R. Zigler
Stephen G. Wynne
